In computer science, a macro is a sequence of instructions, written in a programming language, that is allowed to be used in a data file. A macro virus is a malicious sequence of instructions written in a macro language and registered in a data file or a data file template. When a user opens a data file infected by the macro virus, or performs an operation (for example, storing, deleting, etc.) on such a file, the macro virus is activated and runs, producing the consequence the macro virus was designed to cause.
With the development of computers and the Internet, more and more people use office software, and data files carrying macro viruses can easily spread from one end of the earth to the other. The reach and harmfulness of macro viruses therefore should not be overlooked. Currently, the detection and removal of macro viruses has become a very important part of the computer security technology field.
In the related art, there are two methods for detecting a macro virus. The first method is to use antivirus software to perform a static analysis on the data file: the composite data file format is used to decompose and identify the structure of the data file, the feature codes of all macros in the data file are extracted and matched against the feature codes of macro viruses in the virus database, and a macro is cleared if the match succeeds. The second method is to use the active defense function of the antivirus software to monitor the behaviors of the data file processing program in real time. If a malicious behavior is detected, the antivirus software intercepts it, suspends execution of the data file processing program, and prompts the user with the result and possible consequence of executing the behavior. The data file processing program can continue only after the user has processed the behavior.
In practical use, however, the first method requires the antivirus software to identify and analyze the structures of all data files. Because different applications have different data file structures, this is difficult to achieve. In addition, if the data file is encrypted, the antivirus software cannot obtain the specific contents of the data file even if it can identify the file's structure, so the structural analysis fails. Thus, with the first method, the coverage of macro virus detection is small.
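The two coverage gaps of the first method can be seen at the container level. The following Python sketch is an added example, not code from this document; it assumes the "composite data file" is the compound file format used by office software, that macro storage is named `VBA` / `_VBA_PROJECT`, and that encrypted documents expose only `EncryptionInfo` and `EncryptedPackage` streams. The function names and the sample files are constructed for illustration.

```python
import struct

CFB_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")   # compound file signature
END_OF_CHAIN, FREE = 0xFFFFFFFE, 0xFFFFFFFF

def directory_names(data):
    """Follow the directory sector chain and return the names of all entries."""
    size = 1 << struct.unpack_from("<H", data, 30)[0]          # sector size
    def sector(n):
        return data[(n + 1) * size:(n + 2) * size].ljust(size, b"\0")
    n_fat, first_dir = struct.unpack_from("<II", data, 44)
    fat = []
    for s in struct.unpack_from("<%dI" % min(n_fat, 109), data, 76):  # header DIFAT only
        fat.extend(struct.unpack("<%dI" % (size // 4), sector(s)))
    names, s, seen = [], first_dir, set()
    while s < len(fat) and s not in seen:                      # guard against looping chains
        seen.add(s)
        sec = sector(s)
        for off in range(0, size, 128):                        # 128-byte directory entries
            name_len, obj_type = struct.unpack_from("<HB", sec, off + 64)
            if obj_type and 2 <= name_len <= 64:
                names.append(sec[off:off + name_len - 2].decode("utf-16-le", "replace"))
        s = fat[s]
    return names

def classify(data):
    """What a static scanner can conclude from the container structure alone."""
    if (len(data) < 512 or data[:8] != CFB_MAGIC
            or struct.unpack_from("<H", data, 30)[0] not in (9, 12)):
        return "unsupported-format"   # structure not understood, nothing is scanned
    names = set(directory_names(data))
    if {"EncryptionInfo", "EncryptedPackage"} <= names:
        return "encrypted"            # structure identified, macro contents unreadable
    if "VBA" in names or "_VBA_PROJECT" in names:
        return "macros-present"       # macro streams can go on to feature-code matching
    return "no-macros"

def build_sample(names):
    """Constructed minimal file: header, FAT in sector 0, directory in sector 1."""
    hdr = CFB_MAGIC + bytes(16) + struct.pack("<HHHHH6xIIIIIIIII", 0x3E, 3, 0xFFFE, 9, 6,
                                              0, 1, 1, 0, 4096, END_OF_CHAIN, 0, END_OF_CHAIN, 0)
    hdr += struct.pack("<109I", 0, *[FREE] * 108)              # DIFAT: FAT lives in sector 0
    fat = struct.pack("<128I", 0xFFFFFFFD, END_OF_CHAIN, *[FREE] * 126)
    directory = b""
    for i, name in enumerate(["Root Entry"] + names):          # at most 3 names fit
        raw = (name + "\0").encode("utf-16-le")
        directory += raw.ljust(64, b"\0") + struct.pack("<HB", len(raw), 5 if i == 0 else 2) + bytes(61)
    return hdr + fat + directory.ljust(512, b"\0")
```

Only files classified as `macros-present` ever reach feature-code matching; the `unsupported-format` and `encrypted` results are the cases this paragraph describes as falling outside the scanner's coverage.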
With the second method, more system resources are occupied whenever the user performs an operation on the data file, which affects the overall performance of the machine. In addition, a detected "malicious behavior" may be a normal operating behavior of the user or may be a genuinely malicious behavior, and the second method cannot distinguish between the two. Thus, in order to ensure security, warnings are given frequently to prompt the user, resulting in a poor user experience.